Abstract — By simulating four quantum key distribution (QKD)
experiments and analyzing one decoy-state QKD experiment, we
compare two data post-processing schemes based on security
against individual attack by Lütkenhaus, and unconditional
security analysis by Gottesman-Lo-Lütkenhaus-Preskill. Our results
show that these two schemes yield close performances. Since the
Holy Grail of QKD is its unconditional security, we conclude that
one is better off considering unconditional security, rather than
restricting to individual attacks.

I. Introduction 

Quantum key distribution (QKD) [1], [2] allows two parties,
a transmitter Alice and a receiver Bob, to create a random
secret key even when the channel is accessible to an
eavesdropper, Eve. The security of QKD is built on the fundamental
laws of physics, in contrast to existing classical public key
encryption schemes that are based on unproven computational
assumptions. The unconditional security of the idealized QKD
system has been proven in the past decade [3], [4], [5], [6].

In Shor-Preskill's proof [5], two steps of data post-processing,
error correction and privacy amplification, need to be performed
in order to distill a secret key. Error correction ensures that
Alice and Bob share an identical key, while privacy amplification
removes Eve's information about the final key. Alice and Bob can
simply estimate the quantum bit error rate (QBER) by error testing
and then perform error correction. Privacy amplification, on the
other hand, requires the phase error rate, which cannot be measured
directly without a quantum computer. When an idealized QKD system
is used, due to the symmetry of BB84, one can assume the phase
error rate to be the same as the QBER [5]. However, any real QKD
setup is not ideal: it has imperfect sources, noisy channels and
inefficient detectors, all of which affect the security. A security
analysis should take these effects into consideration.

A few theoretical works have been done to deal with
imperfect devices, such as [7], [8], [9], [10], [11], [12],
[13]. We will compare Lütkenhaus' analysis [8], which deals
with individual attacks, and the Gottesman-Lo-Lütkenhaus-Preskill
(GLLP) [13] unconditional security proof. For convenience,
we name the data post-processing schemes based on these two
security analyses after Lütkenhaus and GLLP.

Meanwhile, many QKD experiments [14], [15], [16], [17],
[18] have been performed in the past decade. Experimentalists
sometimes use the QBER as the only criterion for the security
of QKD. However, after taking the imperfections into
consideration, this kind of security analysis is incomplete. In fact,
due to photon-number splitting (PNS) attacks [19], [9], [20],
Eve can successfully break down the security even when the
QBER is 0%.



Decoy states have been proposed as a useful method for
substantially improving the performance of QKD with coherent
sources [21]. The security proof of decoy-state QKD is given
in Ref. [22]. Afterwards, some practical decoy-state protocols
were proposed [23], [24], [25]. Recently, a few decoy-state QKD
experiments have been performed [26], [27], [28], [29]. In this
paper, we will consider both decoy-state and non-decoy-state
cases.

The goal of this paper is to compare the two standard
security proof results — Lütkenhaus and GLLP. We find that for
realistic experimental parameters, with or without decoy states,
the two security proof results give similar key generation
rate and secure distance. Since unconditional security is the
Holy Grail of QKD and GLLP (but not Lütkenhaus) gives
unconditional security, our conclusion is that one should use
GLLP as the standard criterion for security.

In Section II we review a widely used QKD model for real
experiments. In Section III we compare two data post-processing
schemes, Lütkenhaus and GLLP, for non-decoy and decoy-state QKD.

II. Preliminaries 

Here we use a QKD model following [8], see also [25]. We 
do not repeat the details of the model here. To reproduce the 
simulation results, one may need to refer to Section II of [25]. 

The procedure of a QKD experiment, using BB84 protocol 
with coherent state, is as follows: 

1) In total, Alice sends Bob $N$ pulses for QKD, containing
$N_\mu$ pulses for key transmission (signal states) and
$N - N_\mu$ pulses for error testing or decoy states. In the
$N_\mu$ signal pulses, Alice and Bob have $N_\mu^S$ pulses using
the same bases (after basis reconciliation).

2) Within the $N_\mu^S$ pulses, Bob gets a sifted key with a
length of $K_\mu$, where they measure in the same bases and Bob
gets detections.

3) Alice and Bob choose a security analysis and perform a 
data post-processing scheme. 

Here we assume Alice uses a weak coherent state for key
transmission. Define the expected photon number (intensity)
of the weak coherent state as $\mu$.

Define $q = N_\mu^S/N$. In the BB84 scheme, $q = 1/2$ when
$N \to \infty$. Here the subscript $\mu$ is the expected photon
number of the coherent light used for key transmission as defined
above.

Define the gain $Q_\mu = K_\mu/N_\mu^S$, the probability for Bob
to get a detection in a pulse for which Alice and Bob use the same
basis.

Define the QBER $E_\mu = K_\mu^{error}/K_\mu$, the probability for
Bob to get a wrong detection in a pulse for which Alice and Bob use
the same basis. Here $K_\mu^{error}$ is the number of erroneous bits
in the sifted key.

Alice knows what $N$ and $\mu$ she uses for the key transmission,
and $K_\mu$ can be directly counted from the data after
the key transmission. Alice and Bob can estimate the QBER from
error testing, or they can count $K_\mu^{error}$ after error
correction. In fact, even without knowing the real QBER, they can
directly apply an error correction scheme (e.g., the Cascade scheme
[30]). If the error correction is successful, then it automatically
provides the QBER; otherwise they restart the QKD. Thus, in
a real QKD system, Alice and Bob may skip the error testing
part.

Assuming that the phase of each pulse is totally randomized,
the photon number of each pulse follows a Poisson distribution
with a parameter $\mu$ as its expected photon number. We remark
that the phase randomization procedure is crucial for the
security of QKD [31]. The density matrix of the state emitted
by Alice is given by

oc ^ 
i=0 

where $|0\rangle\langle 0|$ is the vacuum state and
$|i\rangle\langle i|$ is the $i$-photon state for
$i = 1, 2, \cdots$. The states with only one photon ($i = 1$)
are called single photon states. The states with more than one
photon ($i \geq 2$) are called multi photon states.

Define $Y_i$ to be the yield of an $i$-photon state, i.e., the
conditional probability of a detection event at Bob's detector
given that Alice sends out an $i$-photon state. Note that $Y_0$ is
the background rate including detector dark counts and other
background contributions such as the stray light in the fiber.
Consequently, define the error rate of the $i$-photon state to be
$e_i$. The gain of $i$-photon states $Q_i$ is given by

$$Q_i = Y_i \frac{\mu^i}{i!} e^{-\mu}. \qquad (2)$$

When $i = 1$, $Q_1$ and $e_1$ are the gain and error rate of single
photon states. Note that Eve has the ability to change $\{Y_i\}$ and
$\{e_i\}$ as she wishes, but she cannot change $\mu$, which is set by
Alice. Decoy states allow Alice and Bob to estimate channel
transmittance and error rate accurately, which will restrict
Eve's freedom to adjust $\{Y_i\}$ and $\{e_i\}$. This is the key
reason why decoy states are useful for QKD [22].

III. Data post-processing schemes 

In this section, we will compare two data post-processing
schemes, Lütkenhaus versus GLLP. During the comparison,
we will apply the two data post-processing schemes to both
non-decoy and decoy state QKD.

A. Lütkenhaus versus GLLP

Here we compare data post-processing schemes based
on two security analyses, Lütkenhaus [8] and GLLP [13].
The Lütkenhaus scheme focuses on security against individual
attacks, while the GLLP scheme proves unconditional security.

In GLLP [13], there are so-called tagged qubits in the
discussion. The basis information of tagged qubits is somehow
revealed to Eve. Thus tagged qubits are insecure for QKD. The
idea is that Alice and Bob can (in principle) separate the qubits
into two groups, tagged and untagged qubits, hence they only
need to perform privacy amplification on the untagged qubits.
The reason is as follows. The final key will be the bitwise XOR
of keys that could be obtained from the tagged and untagged
qubits. If the key from untagged qubits is private and random,
then it doesn't matter if Eve knows everything about tagged
qubits — the sum is still private and random.

Based on the tagged qubit idea, the procedure of the data 
post-processing is as follows. First, Alice and Bob perform 
the error correction, and if it is successfully done, they share 
an identical key. And then they calculate how much privacy 
amplification they should do (according to certain security 
analysis, which we will discuss soon). Finally they use random 
hashing (or other privacy amplification procedure) to get a final 
secure key. 

Due to the PNS attack, we can regard qubits from single photon
states as untagged qubits and those from other (vacuum and multi
photon) states as tagged qubits. Then we can compare the
results of the Lütkenhaus and GLLP schemes. We can rewrite the
formula of the key generation rate by the Lütkenhaus scheme

$$R \geq q\{-Q_\mu f(E_\mu) H_2(E_\mu) + Q_1[1 - \log_2(1 + 4e_1 - 4e_1^2)]\}. \qquad (3)$$

Similarly, as given in Eq. (11) in [22], we rewrite the key rate 
formula of GLLP 

$$R \geq q\{-Q_\mu f(E_\mu) H_2(E_\mu) + Q_1[1 - H_2(e_1)]\} \qquad (4)$$

where $Q_1$ and $e_1$ are the gain and error rate of single photon
states, and $H_2(x) = -x\log_2(x) - (1 - x)\log_2(1 - x)$ is the
binary entropy function. Alice and Bob need to estimate $Q_1$
and $e_1$ given the data from QKD experiments.

In both Eqs. (3) and (4), the first term in the bracket
is for error correction and the second one is for privacy
amplification. The privacy amplification is only performed on
the single photon part. In this manner, Lütkenhaus [8] has
already applied the tagged qubits idea.

Here due to PNS attacks [19], [9], [20], both Lütkenhaus
and GLLP assume that the single photon states are the only
source of untagged qubits for BB84. This may not be true for
other protocols. For example, in SARG04 [32], [33], two-photon
states can be used to extract secure keys.

Here is the key point of the whole paper. The difference
between the Lütkenhaus and GLLP results appears in the
privacy amplification part. We compare $H_2(e_1)$ with
$\log_2(1 + 4e_1 - 4e_1^2)$ in Fig. 1. We can see that the
difference between the two functions is quite small. For this
reason, in fact, Lütkenhaus and GLLP give very similar results in
the key generation rate and distance of secure QKD. In what
follows, we will illustrate this crucial point with examples of
experimental parameters from previous QKD experiments. Our
conclusion holds with and without using decoy states.

B. Non-decoy-state QKD 

Without decoy states, Alice and Bob have to pessimistically
assume that all losses and errors come from single photon
states. Thus

$$Q_1 = Q_\mu - p_M, \qquad e_1 = \frac{Q_\mu E_\mu}{Q_1}, \qquad (5)$$

where $p_M = 1 - (1 + \mu)\exp(-\mu)$ is the probability that Alice
sends out a multi photon state. We can recover Eq. (15) in [8]
by substituting Eq. (5) into Eq. (3). Letting
$\Delta = p_M/Q_\mu$, we can recover Eq. (50) in [13] by
substituting Eq. (5) into Eq. (4).

Fig. 1. GLLP vs. Lütkenhaus. The maximal deviation of two curves is
15.36% when the error rate is 3.85%.

We compare the key generation rate of two data post-processing
schemes based on Lütkenhaus and GLLP by simulating four
experiment setups [15], [16], [17], [18]. The key
parameters are listed in TABLE I.





                   T8 [15]   G13 [16]      KTH [17]   GYS [18]
$\lambda$ [nm]     830       1300          1550       1550
$\alpha$ [dB/km]   2.5       0.32          0.2        0.21
ei [%]             1         0.14          1          3.3
$Y_0$ [/pulse]     10-'^     1.64 X 10-"   4 X 10-*   1.7 X 10""
$\eta_{Bob}$ [%]   7.92      8.14          14.30      4.5

TABLE I

Key parameters from four QKD experiment setups.



Fig. 2 shows the relationship between key generation rate
and the transmission distance, comparing two data post-processing
schemes, Lütkenhaus and GLLP. For both schemes,
we consider non-decoy state QKD. From Fig. 2 we can see
that the key generation rate of GLLP is only slightly lower than
that of Lütkenhaus. Here we emphasize that GLLP deals with
the general attack, while Lütkenhaus is restricted to individual
attack.

We remark that the QBERs ($E_\mu$'s) of the four GLLP curves
at maximal distances in Fig. 2 are 4.57%, 4.80%, 4.80% and
4.34%. Clearly these are far away from 11%, the tolerable QBER
given in [5]. This is due to the fact that the QKD source is a
weak coherent state, while the security proof given in [5] is
based on a single photon source.

Many QKD experiments used $\mu \sim 0.1$ for key
transmission. If using $\mu = 0.1$ for the GYS [18] setup, we find
that $Q_\mu < p_M$ for all transmission distances. That is, for
BB84, Eve can successfully perform PNS attacks [19], [9], [20] and
obtain all the information about the key even when the QBER
is 0%!

Fig. 2. Relationship between the key generation rate and the
transmission distance, comparing two data post-processing schemes
based on Lütkenhaus and GLLP security analyses. The key parameters
are listed in TABLE I. Here we consider the non-decoy case and use
the optimal expected photon number $\mu = \eta$ [8]. Using the
Cascade protocol [30], the error correction efficiency is 1.16.
Details of the QKD simulation model appear in [25].

C. Decoy-state QKD 

Here, we will give a data post-processing scheme following 
the security analysis of decoy state QKD [22]. 

In Eqs. (3) and (4), $q$ and $Q_\mu$ can be directly counted from
Bob's detection events. The QBER can be obtained from
error testing or after the error correction step. Alice and Bob can
estimate $Q_1$ and $e_1$ with decoy states. Definitions of these
variables are in Section II.

As for the Vacuum+Weak decoy state scheme [25], besides $Q_\mu$
and $E_\mu$ discussed in Section II, Alice and Bob will use
$Q_{vac}$ (from the vacuum decoy), $Q_\nu$, and $E_\nu$ (from the
weak decoy). The definitions are similar to those of $Q_\mu$ and
$E_\mu$ in Section II. The intensity of the weak decoy state is
$\nu$. Alice and Bob can publicly compare all weak decoy states to
get $Q_\nu$ and $E_\nu$. They can estimate the background count
rate by vacuum decoy states, $Y_0 = Q_{vac}$. Then, they apply the
formulas, Eq. (35) and Eq. (37) in [25], for the estimations of
$Q_1$ and $e_1$



Qi > 



ei < 



— 

E^Q.e'' 



-Yo) 



eoYo 



(6) 



where $e_0 = 1/2$ is the error rate of vacuum decoy states.



In summary, the data post-processing for decoy state QKD is:

1) Alice announces to Bob which pulses are used for decoy
states. They publicly compare all values of decoy states,
and then calculate $Q_{vac}$, $Q_\nu$ and $E_\nu$.

2) They sacrifice an $f(E_\mu)H_2(E_\mu)$ part of the sifted key
to do the error correction. Here $f(E_\mu)$ is the error correction
efficiency.

3) Alice and Bob estimate the gain $Q_1$ and error rate $e_1$ of
single photon states, using Eq. (6) with $Y_0 = Q_{vac}$, $Q_\nu$
and $E_\nu$.

4) They calculate the final key rate $R$ by Eq. (3) or (4).
According to $R$, they perform privacy amplification (say,
random hashing) to get a final secure key with length of
$NR$, where $N$ is the total number of pulses sent by Alice,
defined in Section II.

We remark that in principle Alice and Bob can use decoy 
states to generate keys, but in practice it is more efficient 
if Alice and Bob compare all bit values of decoy states 
to minimize the statistical fluctuation. In other words, there 
always exists one optimal intensity for QKD and we use it 
for signal states. Suppose some of the decoy state pulses are 
used for key generation; it will be more efficient to transmit 
these pulses using the signal (optimal) intensity. Thus, only 
the signal pulses are used for key generation. 

Note that for a finite length QKD, Alice and Bob need to
consider statistical fluctuations. A similar procedure will still
be applicable. The only difference will be the formulas for
estimations of $Q_1$ and $e_1$. Statistical fluctuations are
discussed in [23], [25]. As mentioned in [25], a rough way to
estimate the statistical fluctuations is assuming a Gaussian
distribution of $Q_\nu$, $E_\nu$ and $Y_0$. Take the lower bound of
$Q_\nu$ and $Y_0$ and the upper bound of $E_\nu$ to estimate $Q_1$
and $e_1$. Other procedures are the same as used above. For
simplicity, here we skip the statistical fluctuations.

Note that the efficiency of error correction and privacy
amplification can also be included into Eqs. (3) and (4). In
our simulations, we only consider the efficiency of error
correction.

The comparison of Lütkenhaus and GLLP for decoy-state
QKD is shown in Fig. 3. From the figure, we can see that the
performances of the two schemes are very close when decoy states
are used.

Fig. 3. Relationship between the key generation rate and the
transmission distance for decoy state QKD, comparing Lütkenhaus and
GLLP. The key parameters are listed in TABLE I. Using the Cascade
protocol [30], the error correction efficiency is 1.16. Here we
assume the efficiency of privacy amplification is 1. Details of QKD
simulations can be seen in [25].



For comparison, the QBERs of the four GLLP curves
at maximal distance in Fig. 3 are 5.19%, 4.21%, 5.11% and
6.8%. We can see that these four values are close to those given
by Fig. 2 for non-decoy state QKD. This is because stronger
signals can be used when decoy states are implemented,
and then the QBER drops, which cancels out the increase
of QBER caused by higher channel loss.

Based on the simulation results of four QKD setups, we find
that there is little to gain by restricting the security analysis
to individual attacks, given that the two schemes — Lütkenhaus
vs. GLLP — provide very close performances. In other words,
our view is that one is better off considering unconditional
security, rather than restricting to individual attacks.

D. One example 

Decoy state QKD experiments have recently been performed
[26], [27], [28], [29]. We analyze a decoy state QKD experiment
over 60 km of fiber [27] as an example here.
All raw experiment data are listed in TABLE II.



Distance   $\lambda$   $N$         $N_{vac}$
60 km      1550 nm     104.8 Mb    16.63 Mb    1033 b

$\mu$      $N_\mu$     $N_\mu^S$   $K_\mu$     $K_\mu^{error}$
0.55       66.86 Mb    33.40 Mb    60.50 kb    1845 b

$\nu$      $N_\nu$     $N_\nu^S$   $K_\nu$     $K_\nu^{error}$
0.152      21.34 Mb    10.69 Mb    5397 b      455 b

TABLE II

Raw QKD experiment parameters from [27]. The unit b stands for bit.



From TABLE II we can calculate the key parameters for
security analysis, listed in TABLE III. The definitions are
given in Section II.

$q$     $Q_\mu$                 $E_\mu$   $Y_0 = Q_{vac}$         $Q_\nu$
0.319   $1.81 \times 10^{-3}$   3.05%     $1.11 \times 10^{-4}$   $5.47 \times 10^{-4}$

TABLE III

Key parameters for the security analysis of [27] derived from TABLE II.



Now, we can apply the data post-processing for decoy state
QKD. We can estimate $Q_1$ by Eq. (6). For $e_1$ we use a different
formula



ei < 



(7) 



The reason is that in the real experiment [27], $e_1$ of decoy
states deviates largely from that of signal states. The deviation
is caused by the imperfections of attenuators. Thus, we use the
QBER of signal states $E_\mu$ to estimate $e_1$. It reminds us of
the key assumption of decoy state QKD: all $Y_i$ and $e_i$ are the
same in the signal states and in the decoy states [22].

Substituting parameters of TABLE III into Eqs. (6) and (7),
we get $Q_1 \geq 8.50 \times 10^{-4}$ and $e_1 \leq 2.73\%$. Then we
apply the Cascade error correction scheme [30], sacrificing a
fraction of $1.16 H_2(E_\mu) = 0.486$ of the sifted key, where 1.16
is the error correction efficiency. Then from Eqs. (3) and (4), we
get the key generation rate
$R_{\text{Lütkenhaus}} = 9.98 \times 10^{-5}$ and
$R_{GLLP} = 9.04 \times 10^{-5}$. We randomly choose parities and
obtain a final key with length of
$K_{\text{Lütkenhaus}} = N R_{\text{Lütkenhaus}} = 10.5$ kbit
and $K_{GLLP} = N R_{GLLP} = 9.47$ kbit. We can see the
difference between the key lengths of GLLP and Lütkenhaus is
within 10%. For the case of considering statistical fluctuations,
one can refer to [27].
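
The rates and key lengths in this subsection can be rechecked from Eqs. (3) and (4) alone. The Python below is an added example, not code from the paper or its authors: the function names are assumptions, `section_3d` uses only values quoted in the text, and `pns_case` uses constructed inputs to show the non-decoy estimate of Eq. (5), $Q_1 = Q_\mu - p_M$ and $e_1 = Q_\mu E_\mu / Q_1$, yielding no key at 0% QBER once $Q_\mu < p_M$.

```python
import math

F_EC = 1.16  # Cascade error-correction efficiency quoted in the text


def h2(x):
    """Binary entropy in bits, taken as 0 at x = 0 and x = 1."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1.0 - x) * math.log2(1.0 - x)


def pa_cost(e1, scheme):
    """Privacy-amplification cost per single-photon bit."""
    if scheme == "gllp":          # Eq. (4): H2(e1)
        return h2(e1)
    if scheme == "lutkenhaus":    # Eq. (3): log2(1 + 4 e1 - 4 e1^2)
        return math.log2(1.0 + 4.0 * e1 - 4.0 * e1 ** 2)
    raise ValueError("scheme must be 'gllp' or 'lutkenhaus'")


def key_rate(q, Q_mu, E_mu, Q1, e1, scheme, f_ec=F_EC):
    """R = q * (-Q_mu f H2(E_mu) + Q1 [1 - cost(e1)]), floored at zero."""
    if Q1 <= 0.0 or not 0.0 <= e1 < 0.5:
        return 0.0  # no untagged bits left, or they are too noisy
    bracket = -Q_mu * f_ec * h2(E_mu) + Q1 * (1.0 - pa_cost(e1, scheme))
    return max(0.0, q * bracket)


def nondecoy_estimate(Q_mu, E_mu, mu):
    """Eq. (5): all multi-photon pulses and all errors are charged to Eve."""
    p_multi = 1.0 - (1.0 + mu) * math.exp(-mu)
    Q1 = Q_mu - p_multi
    if Q1 <= 0.0:
        return 0.0, 0.5  # multi-photon pulses alone explain every detection
    return Q1, min(0.5, Q_mu * E_mu / Q1)


def section_3d():
    """(rate, key length in bits) per scheme for the 60 km experiment."""
    N = 104.8e6                             # pulses sent, TABLE II
    q, Q_mu, E_mu = 0.319, 1.81e-3, 0.0305  # TABLE III
    Q1, e1 = 8.50e-4, 0.0273                # bounds quoted in Section III.D
    rates = {s: key_rate(q, Q_mu, E_mu, Q1, e1, s)
             for s in ("lutkenhaus", "gllp")}
    return {s: (r, N * r) for s, r in rates.items()}


def pns_case():
    """Constructed input: mu = 0.1, gain 4.5e-3, QBER 0 %, no decoy states."""
    Q_mu, E_mu, mu = 4.5e-3, 0.0, 0.1       # constructed, not from the paper
    Q1, e1 = nondecoy_estimate(Q_mu, E_mu, mu)
    return key_rate(0.5, Q_mu, E_mu, Q1, e1, "gllp")


if __name__ == "__main__":
    for name, (rate, bits) in section_3d().items():
        print(f"{name:11s} R = {rate:.3e}  key = {bits / 1e3:.2f} kbit")
    print("non-decoy, QBER 0 %, Q_mu < p_M -> R =", pns_case())
```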

IV. Conclusion 

In this paper, we compare the security analysis of
Lütkenhaus, against individual attack, and
Gottesman-Lo-Lütkenhaus-Preskill, general security analysis. Our
simulation results show that these two schemes provide close
performances. Thus, we conclude that one is better off considering
unconditional security, rather than restricting to individual
attacks. In the security analysis, we emphasize that the QBER
is not the only criterion of security due to the imperfections
of QKD setups.